\relax 
\providecommand\BKM@entry[2]{}
\providecommand\HyperFirstAtBeginDocument{\AtBeginDocument}
\HyperFirstAtBeginDocument{\ifx\hyper@anchor\@undefined
\global\let\oldcontentsline\contentsline
\gdef\contentsline#1#2#3#4{\oldcontentsline{#1}{#2}{#3}}
\global\let\oldnewlabel\newlabel
\gdef\newlabel#1#2{\newlabelxx{#1}#2}
\gdef\newlabelxx#1#2#3#4#5#6{\oldnewlabel{#1}{{#2}{#3}}}
\AtEndDocument{\ifx\hyper@anchor\@undefined
\let\contentsline\oldcontentsline
\let\newlabel\oldnewlabel
\fi}
\fi}
\global\let\hyper@last\relax 
\gdef\HyperFirstAtBeginDocument#1{#1}
\providecommand\HyField@AuxAddToFields[1]{}
\bibstyle{unsrt}
\citation{wikipedia}
\BKM@entry{id=1,dest={636861707465722A2E31},srcline={151}}{4C697374206F662046696775726573}
\@writefile{toc}{\contentsline {section}{List of Figures}{5}{chapter*.1}}
\BKM@entry{id=2,dest={636861707465722A2E32},srcline={159}}{4C697374206F66205461626C6573}
\@writefile{toc}{\contentsline {section}{List of Tables}{6}{chapter*.2}}
\BKM@entry{id=3,dest={636861707465722E31},srcline={1}}{496E74726F64756374696F6E}
\BKM@entry{id=4,dest={73656374696F6E2E312E31},srcline={6}}{4261636B2067726F756E64}
\citation{keylogger}
\citation{Symantec}
\BKM@entry{id=5,dest={73656374696F6E2E312E32},srcline={8}}{4D616C7761726520616E616C797369732070726F626C656D}
\citation{georg}
\@writefile{toc}{\contentsline {chapter}{\numberline {1}Introduction}{1}{chapter.1}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\newlabel{chap:1}{{1}{1}{Introduction\relax }{chapter.1}{}}
\@writefile{toc}{\contentsline {section}{\numberline {1.1}Back ground}{1}{section.1.1}}
\@writefile{toc}{\contentsline {section}{\numberline {1.2}Malware analysis problem}{1}{section.1.2}}
\BKM@entry{id=6,dest={73656374696F6E2E312E33},srcline={17}}{417070726F616368}
\BKM@entry{id=7,dest={73656374696F6E2E312E34},srcline={23}}{546865736973206F75746C696E65}
\@writefile{toc}{\contentsline {section}{\numberline {1.3}Approach}{2}{section.1.3}}
\@writefile{toc}{\contentsline {section}{\numberline {1.4}Thesis outline}{2}{section.1.4}}
\BKM@entry{id=8,dest={636861707465722E32},srcline={2}}{4261636B2067726F756E64}
\BKM@entry{id=9,dest={73656374696F6E2E322E31},srcline={7}}{47726F777468206F66206D616C776172652061747461636B}
\citation{kaspersky1}
\citation{kaspersky}
\citation{kaspersky}
\citation{Microsoft}
\@writefile{toc}{\contentsline {chapter}{\numberline {2}Back ground}{4}{chapter.2}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\newlabel{chap:2}{{2}{4}{Back ground\relax }{chapter.2}{}}
\@writefile{toc}{\contentsline {section}{\numberline {2.1}Growth of malware attack}{4}{section.2.1}}
\BKM@entry{id=10,dest={73656374696F6E2E322E32},srcline={19}}{4D616C776172652061766F6964616E636520746563686E69717565}
\citation{blackhat1}
\citation{blackhat1}
\@writefile{lof}{\contentsline {figure}{\numberline {2.1}{\ignorespaces Number of malicious program}}{5}{figure.2.1}}
\newlabel{fig:kaspersky}{{2.1}{5}{Number of malicious program\relax }{figure.2.1}{}}
\@writefile{toc}{\contentsline {section}{\numberline {2.2}Malware avoidance technique}{5}{section.2.2}}
\citation{packing}
\BKM@entry{id=11,dest={73656374696F6E2E322E33},srcline={26}}{4D616C7761726520616E616C7973697320746563686E69717565}
\BKM@entry{id=12,dest={73756273656374696F6E2E322E332E31},srcline={28}}{44796E616D6963206D616C7761726520616E616C79736973}
\citation{georg}
\BKM@entry{id=13,dest={73756273656374696F6E2E322E332E32},srcline={37}}{537461746963206D616C7761726520616E616C79736973}
\@writefile{toc}{\contentsline {section}{\numberline {2.3}Malware analysis technique}{6}{section.2.3}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.1}Dynamic malware analysis}{6}{subsection.2.3.1}}
\BKM@entry{id=14,dest={73656374696F6E2E322E34},srcline={46}}{4D616C776172652063617465676F72696573}
\citation{BlackHat}
\citation{BlackHat}
\citation{BlackHat}
\@writefile{lof}{\contentsline {figure}{\numberline {2.2}{\ignorespaces SysAnalyser tool for dynamic analysis.}}{7}{figure.2.2}}
\newlabel{fig:SysAnalyser}{{2.2}{7}{SysAnalyser tool for dynamic analysis}{figure.2.2}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.2}Static malware analysis}{7}{subsection.2.3.2}}
\@writefile{toc}{\contentsline {section}{\numberline {2.4}Malware categories}{7}{section.2.4}}
\citation{BlackHat}
\citation{BlackHat}
\BKM@entry{id=15,dest={73756273656374696F6E2E322E342E31},srcline={56}}{55736520766972757320746F74616C20746F2064657465637420746865206E616D65206F662063617465676F726965732E}
\citation{wiki1}
\BKM@entry{id=16,dest={73756273656374696F6E2E322E342E32},srcline={58}}{5573696E6720766972757320746F74616C20746F2067657474696E672076656E646F72206E616D65}
\@writefile{lof}{\contentsline {figure}{\numberline {2.3}{\ignorespaces Ollydbg tool for static analysis.}}{8}{figure.2.3}}
\newlabel{fig:OllyDbg}{{2.3}{8}{Ollydbg tool for static analysis}{figure.2.3}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.1}Use virus total to detect the name of categories.}{8}{subsection.2.4.1}}
\BKM@entry{id=17,dest={73656374696F6E2E322E35},srcline={66}}{50726F626C656D73206F66206D616C77617265206E616D65}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.2}Using virus total to getting vendor name}{9}{subsection.2.4.2}}
\@writefile{lof}{\contentsline {figure}{\numberline {2.4}{\ignorespaces Malware name is detected by antivirus engines.}}{9}{figure.2.4}}
\newlabel{fig:virustotal_listname}{{2.4}{9}{Malware name is detected by antivirus engines}{figure.2.4}{}}
\@writefile{toc}{\contentsline {section}{\numberline {2.5}Problems of malware name}{9}{section.2.5}}
\BKM@entry{id=18,dest={73656374696F6E2E322E36},srcline={69}}{4D616C776172652066616D696C696573206973207573656420696E2074686973207061706572}
\citation{ipa}
\citation{virut}
\citation{autorun}
\citation{ircbot}
\citation{gaobot}
\citation{walemac}
\citation{downadup}
\citation{mota}
\@writefile{toc}{\contentsline {section}{\numberline {2.6}Malware families is used in this paper}{10}{section.2.6}}
\@writefile{lot}{\contentsline {table}{\numberline {2.1}{\ignorespaces Malware}}{11}{table.2.1}}
\newlabel{tab:malwarefamilies}{{2.1}{11}{Malware\relax }{table.2.1}{}}
\BKM@entry{id=19,dest={636861707465722E33},srcline={1}}{52656C61746564207265736561726368}
\BKM@entry{id=20,dest={73656374696F6E2E332E31},srcline={8}}{466C6F77206772617068}
\citation{silvio}
\@writefile{toc}{\contentsline {chapter}{\numberline {3}Related research}{12}{chapter.3}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\newlabel{chap:3}{{3}{12}{Related research\relax }{chapter.3}{}}
\@writefile{toc}{\contentsline {section}{\numberline {3.1}Flow graph}{12}{section.3.1}}
\citation{silvio}
\BKM@entry{id=21,dest={73656374696F6E2E332E32},srcline={18}}{4F7074696D697A696E67206465636973696F6E207472656520696E206D616C7761726520636C617373696669636174696F6E2073797374656D206279207573696E672047656E6572696320416C676F726974686D}
\citation{mohd}
\@writefile{toc}{\contentsline {section}{\numberline {3.2}Optimizing decision tree in malware classification system by using Generic Algorithm}{13}{section.3.2}}
\BKM@entry{id=22,dest={73656374696F6E2E332E33},srcline={30}}{436F6E636C757374696F6E}
\@writefile{toc}{\contentsline {section}{\numberline {3.3}Conclustion}{14}{section.3.3}}
\BKM@entry{id=23,dest={636861707465722E34},srcline={1}}{436C617373696669636174696F6E206261736564206F6E206D616C776172652773206D6574612D64617461207573696E67206465636973696F6E207472656520617070726F616368}
\BKM@entry{id=24,dest={73656374696F6E2E342E31},srcline={6}}{50452066696C6520666F726D6174}
\BKM@entry{id=25,dest={73756273656374696F6E2E342E312E31},srcline={7}}{50452066696C65206F76657276696577}
\@writefile{toc}{\contentsline {chapter}{\numberline {4}Classification based on malware's meta-data using decision tree approach}{15}{chapter.4}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\newlabel{chap:4}{{4}{15}{Classification based on malware's meta-data using decision tree approach\relax }{chapter.4}{}}
\@writefile{toc}{\contentsline {section}{\numberline {4.1}PE file format}{15}{section.4.1}}
\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.1}PE file overview}{15}{subsection.4.1.1}}
\@writefile{lof}{\contentsline {figure}{\numberline {4.1}{\ignorespaces PE file format.}}{16}{figure.4.1}}
\newlabel{fig:pe1}{{4.1}{16}{PE file format}{figure.4.1}{}}
\BKM@entry{id=26,dest={73756273656374696F6E2E342E312E32},srcline={24}}{504520686561646572}
\citation{wikipedia}
\BKM@entry{id=27,dest={73656374696F6E2E342E32},srcline={54}}{4465636973696F6E207472656577696B697065646961}
\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.2}PE header}{17}{subsection.4.1.2}}
\@writefile{toc}{\contentsline {section}{\numberline {4.2}Decision tree\cite  {wikipedia}}{17}{section.4.2}}
\@writefile{lof}{\contentsline {figure}{\numberline {4.2}{\ignorespaces Layout a file in PE header format.}}{18}{figure.4.2}}
\newlabel{fig:peheader}{{4.2}{18}{Layout a file in PE header format}{figure.4.2}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {4.3}{\ignorespaces Layout of a file header}}{18}{figure.4.3}}
\newlabel{fig:fileheader}{{4.3}{18}{Layout of a file header\relax }{figure.4.3}{}}
\BKM@entry{id=28,dest={73656374696F6E2E342E33},srcline={61}}{436C617373696669636174696F6E206261736564206F6E206D616C776172652773206D6574612D64617461207573696E67206465636973696F6E207472656520617070726F616368}
\@writefile{toc}{\contentsline {section}{\numberline {4.3}Classification based on malware's meta-data using decision tree approach}{19}{section.4.3}}
\BKM@entry{id=29,dest={636861707465722E35},srcline={1}}{496D706C656D656E746174696F6E}
\BKM@entry{id=30,dest={73656374696F6E2E352E31},srcline={5}}{456E7669726F6E6D656E74}
\BKM@entry{id=31,dest={73656374696F6E2E352E32},srcline={6}}{4F7665722076696577}
\citation{tonylee}
\@writefile{toc}{\contentsline {chapter}{\numberline {5}Implementation}{20}{chapter.5}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\newlabel{chap:5}{{5}{20}{Implementation\relax }{chapter.5}{}}
\@writefile{toc}{\contentsline {section}{\numberline {5.1}Environment}{20}{section.5.1}}
\@writefile{toc}{\contentsline {section}{\numberline {5.2}Over view}{20}{section.5.2}}
\BKM@entry{id=32,dest={73656374696F6E2E352E33},srcline={25}}{436C617373696669636174696F6E206261736564206F6E206D616368696E65206C6561726E696E6720746563686E69717565}
\BKM@entry{id=33,dest={73756273656374696F6E2E352E332E31},srcline={26}}{4D6574612D64617461}
\citation{goppit}
\BKM@entry{id=34,dest={73756273656374696F6E2E352E332E32},srcline={29}}{43726561746520747261696E696E672064617461}
\citation{virustotal}
\@writefile{lof}{\contentsline {figure}{\numberline {5.1}{\ignorespaces The system architecture.}}{21}{figure.5.1}}
\newlabel{fig:system_architec}{{5.1}{21}{The system architecture}{figure.5.1}{}}
\@writefile{toc}{\contentsline {section}{\numberline {5.3}Classification based on machine learning technique}{21}{section.5.3}}
\@writefile{toc}{\contentsline {subsection}{\numberline {5.3.1}Meta-data}{21}{subsection.5.3.1}}
\BKM@entry{id=35,dest={73756273656374696F6E2E352E332E33},srcline={39}}{436C617373696669636174696F6E}
\@writefile{toc}{\contentsline {subsection}{\numberline {5.3.2}Create training data}{22}{subsection.5.3.2}}
\@writefile{lof}{\contentsline {figure}{\numberline {5.2}{\ignorespaces Clustering method.}}{22}{figure.5.2}}
\newlabel{fig:clustering}{{5.2}{22}{Clustering method}{figure.5.2}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {5.3.3}Classification}{22}{subsection.5.3.3}}
\@writefile{lof}{\contentsline {figure}{\numberline {5.3}{\ignorespaces Worm autorun decision tree.}}{22}{figure.5.3}}
\newlabel{fig:classificationdecision}{{5.3}{22}{Worm autorun decision tree}{figure.5.3}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {5.4}{\ignorespaces Malware classification system.}}{24}{figure.5.4}}
\newlabel{fig:classification}{{5.4}{24}{Malware classification system}{figure.5.4}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {5.5}{\ignorespaces Worm autorun decision tree.}}{24}{figure.5.5}}
\newlabel{fig:decisiontreeworm}{{5.5}{24}{Worm autorun decision tree}{figure.5.5}{}}
\BKM@entry{id=36,dest={636861707465722E36},srcline={1}}{4576616C756174696F6E}
\BKM@entry{id=37,dest={73656374696F6E2E362E31},srcline={4}}{4163637572616379206576616C756174696F6E}
\BKM@entry{id=38,dest={73656374696F6E2E362E32},srcline={40}}{456666696369656E6379206F6620636C617373696679696E67}
\@writefile{toc}{\contentsline {chapter}{\numberline {6}Evaluation}{25}{chapter.6}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\newlabel{chap:6}{{6}{25}{Evaluation\relax }{chapter.6}{}}
\@writefile{toc}{\contentsline {section}{\numberline {6.1}Accuracy evaluation}{25}{section.6.1}}
\@writefile{lof}{\contentsline {figure}{\numberline {6.1}{\ignorespaces The best decision tree order.}}{26}{figure.6.1}}
\newlabel{fig:ordertree}{{6.1}{26}{The best decision tree order}{figure.6.1}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {6.2}{\ignorespaces Experimental result}}{26}{figure.6.2}}
\newlabel{fig:experimentalresult}{{6.2}{26}{Experimental result\relax }{figure.6.2}{}}
\@writefile{toc}{\contentsline {section}{\numberline {6.2}Efficiency of classifying}{26}{section.6.2}}
\@writefile{lof}{\contentsline {figure}{\numberline {6.3}{\ignorespaces The best decision tree order.}}{27}{figure.6.3}}
\newlabel{fig:evaluation3}{{6.3}{27}{The best decision tree order}{figure.6.3}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {6.4}{\ignorespaces The best decision tree order.}}{28}{figure.6.4}}
\newlabel{fig:evaluation2}{{6.4}{28}{The best decision tree order}{figure.6.4}{}}
\BKM@entry{id=39,dest={636861707465722E37},srcline={3}}{436F6E636C7573696F6E}
\BKM@entry{id=40,dest={73656374696F6E2E372E31},srcline={4}}{436F6E636C7573696F6E}
\BKM@entry{id=41,dest={73656374696F6E2E372E32},srcline={9}}{46757475726520776F726B}
\@writefile{toc}{\contentsline {chapter}{\numberline {7}Conclusion}{29}{chapter.7}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\newlabel{chap:7}{{7}{29}{Conclusion\relax }{chapter.7}{}}
\@writefile{toc}{\contentsline {section}{\numberline {7.1}Conclusion}{29}{section.7.1}}
\@writefile{toc}{\contentsline {section}{\numberline {7.2}Future work}{29}{section.7.2}}
\BKM@entry{id=42,dest={73656374696F6E2A2E34},srcline={196}}{5265666572656E636573}
\bibdata{reference/literature}
\bibcite{SysAnalyzer}{{1}{}{{}}{{}}}
\bibcite{Symantec}{{2}{}{{}}{{}}}
\bibcite{keylogger}{{3}{}{{}}{{}}}
\bibcite{Microsoft}{{4}{}{{}}{{}}}
\bibcite{wikipedia}{{5}{}{{}}{{}}}
\bibcite{antivirus}{{6}{}{{}}{{}}}
\bibcite{kaspersky}{{7}{}{{}}{{}}}
\bibcite{ipa}{{8}{}{{}}{{}}}
\bibcite{gaobot}{{9}{}{{}}{{}}}
\bibcite{ircbot}{{10}{}{{}}{{}}}
\bibcite{autorun}{{11}{}{{}}{{}}}
\bibcite{virut}{{12}{}{{}}{{}}}
\bibcite{metamorphism}{{13}{}{{}}{{}}}
\@writefile{toc}{\contentsline {chapter}{References}{ii}{section*.4}}
\bibcite{mohd}{{14}{}{{}}{{}}}
\bibcite{blackhat1}{{15}{}{{}}{{}}}
\bibcite{machinelearning}{{16}{}{{}}{{}}}
\bibcite{packing}{{17}{}{{}}{{}}}
\bibcite{packingnews}{{18}{}{{}}{{}}}
\bibcite{waledac}{{19}{}{{}}{{}}}
\bibcite{sality}{{20}{}{{}}{{}}}
\bibcite{mota}{{21}{}{{}}{{}}}
\bibcite{kaspersky1}{{22}{}{{}}{{}}}
\bibcite{pe1}{{23}{}{{}}{{}}}
\bibcite{wiki1}{{24}{}{{}}{{}}}
\bibcite{BlackHat}{{25}{}{{}}{{}}}
\bibcite{peheaderci}{{26}{}{{}}{{}}}
\bibcite{kaspersky1}{{27}{}{{}}{{}}}
\bibcite{silvio}{{28}{}{{}}{{}}}
\bibcite{jingjing}{{29}{}{{}}{{}}}
\bibcite{yuhei}{{30}{}{{}}{{}}}
\bibcite{kevin}{{31}{}{{}}{{}}}
\bibcite{tony}{{32}{}{{}}{{}}}
\bibcite{tonylee}{{33}{}{{}}{{}}}
\bibcite{yanfangye}{{34}{}{{}}{{}}}
\bibcite{robinsharp}{{35}{}{{}}{{}}}
\bibcite{georg}{{36}{}{{}}{{}}}
\bibcite{goppit}{{37}{}{{}}{{}}}
\providecommand\NAT@force@numbers{}\NAT@force@numbers
